Last week, the Government Digital Service (GDS) dedicated a whole day to talking about what it’s up to, at its first Sprint event in two years. About time too, many observers said, since GDS seemed to have gone to ground over the past six months, notable mostly for its silence even at a time when Theresa May diminished its role in Whitehall by stripping away responsibility for data policy.
However, it tells you something about how GDS is perceived at the moment that the biggest news headlines from the day came instead from a 10-minute press briefing given to journalists on the sidelines of the event.
During a day of presentations and workshops showcasing the work of GDS, its Gov.uk Verify digital identity system was barely mentioned. But when Nic Harrison, director of service design and assurance, digital identity at GDS – the man in charge of Verify – talked to Computer Weekly and others, he opened up something of a Pandora’s Box.
To Harrison’s credit, his openness was welcome – GDS’s responses to Computer Weekly questions about Verify have for some time bordered on monosyllabic, and have often been information-free to the point of being meaningless.
All the while, the players in the UK’s burgeoning digital identity ecosystem have grown ever-more frustrated with the lack of progress on Verify.
Harrison conceded that Verify adoption is poor – “still not stellar,” as he put it. He denied there was ever any fight between GDS and other Whitehall departments over Verify, citing “very sound operational reasons” to justify the lack of take-up.
That’s not what sources in some of those other departments have consistently said, but maybe they see things differently from outside GDS. Or perhaps “operational reasons” includes Verify’s inability to be used by companies or intermediaries – an essential requirement for HM Revenue & Customs (HMRC) – or to work for Universal Credit claimants with little digital footprint.
Harrison also cited departmental cost controls introduced in the 2015 spending review, and the demands of Brexit as further reasons for the problems afflicting Verify.
“They’re worrying about EU exit, so we are frankly just not going to get hundreds of new services being digitised in the next year to bring on Verify,” he said.
As some observers have noted, GDS was given £450m in the spending review, a significant portion of which was earmarked for Verify – in return for an anticipated £1.1bn savings. But because of the poor performance of Verify, GDS hasn’t been able to spend all the money it was allocated for the project, and has been under pressure to return that unspent budget to the Treasury.
Brexit? In February 2017, nearly eight months after the EU referendum, the government transformation strategy committed GDS to delivering to 25 million users of Verify by 2020.
Perhaps it’s unsurprising, therefore, that patience among key players in the digital identity community is wearing thin.
Even OIX, the standards body that is largely funded by the Cabinet Office, and which GDS chose to help develop the market for Verify, is starting to publicly criticise progress. In a report published in April, pointedly titled Digital identity in the UK: The cost of doing nothing, OIX said: “The UK is among an ever-smaller group of developed nations without a national digital identity infrastructure.”
The report added: “While over 60 countries around the world have developed or are close to launching a digital identity scheme, digital identity developments in the UK have been more limited… We have seen the government’s own identity scheme Gov.uk Verify emerge, but it has yet to reach the widespread adoption it was targeting.”
Behind gentle words, often high criticism lies.
Experts highlight a sense of déjà vu in GDS’s latest comments on Verify. Here is a comment from one longstanding digital identity expert, to Computer Weekly:
“All the good (and bad) words on standards, industry engagement, as well as dogma about hubs seemed unchanged from [a] presentation to the Department for Trade and Industry in 2011. European interoperability demands were news at the Manchester declaration in 2005 – not delivered by 2010, so who thought that what was due in 2013 would be here by 2018? Local government still seemed excluded from contribution to provision.
“No battles? Perhaps those battle-scarred by the bitter turf war with DWP have all gone – and those in HMRC changed sides? Scotland didn’t engage. Defra and NHS weren’t exactly enthusiastic. And the missing commercial model for Verify? Not only is there no discernible interaction with active groups like Kantara, even the usually obsequious OIX’s latest report has indicated that all is not well in the UK.”
Other identity experts lament how the delays in Verify have hindered the development of a UK identity ecosystem, and warn that the UK is slipping down the list of digital economy nations as a result. Some have called for greater involvement and leadership from banks, especially in light of recent financial industry regulations such as PSD2 and open banking.
Change of strategy
GDS director general Kevin Cunnington was due to speak at an event on digital identity later this week – according to the latest update on the event website he has mysteriously disappeared, with Nic Harrison stepping up instead.
Rumours grow that GDS is considering a change of strategy for Verify. At Sprint, Harrison confirmed Computer Weekly’s story that GDS is moving towards promoting “Verify compliant” identity providers, rather than pushing Verify itself as a product.
He also partly acknowledged concerns about the role of the existing Verify identity providers, who have an effective monopoly on public sector ID where Verify is in use.
Harrison said he wants to see an ecosystem based on interoperability and standards – with government as the “arbiter”, not the provider. As the old saying goes, the great thing about standards is there are so many of them to choose from.
So it would appear that GDS is slowly and quietly starting to acknowledge the flaws in the current Verify plan – and hopes to extricate itself through a path of least embarrassment. A new strategy is emerging that will place greater responsibility on the private sector to drive the UK’s digital identity infrastructure.
The next question will be whether that’s enough to relieve the frustration caused by Verify so far, and stimulate the functioning identity ecosystem that the UK’s digital economy so desperately needs.